Researcher blasts Siemens for downplaying SCADA threat

The security researcher who last week voluntarily canceled a talk on critical vulnerabilities in Siemens' industrial control systems took the German giant to task Monday for downplaying the problem.

Dillon Beresford, a researcher with NSS Labs, took exception to Siemens' claim that the vulnerabilities he and colleague Brian Meixell uncovered had been discovered "while working under special laboratory conditions with unlimited access to protocols and controllers."

"There were no 'special laboratory conditions' with 'unlimited access to the protocols.' My personal apartment on the wrong side of town where I can hear gunshots at night hardly defines a special laboratory," said Beresford in a message posted on a public security mailing list. "[And] I purchased the controllers with money my company so graciously provided me with."

While Siemens promised last week that it would patch the bugs, it downplayed the threat to its industrial control systems, and the thousands of companies that rely on Siemens' PLC (programmable logic control) systems, argued Beresford.

"It's very discouraging...when a vendor tries to minimize the impact of a critical issue for the purpose of saving face in the public," Beresford said in a follow-up message on the SCADASEC mailing list. "It sends out the wrong message to people who are trying to do the right thing."

Industrial control systems like Siemens' monitor and manage everything from oil drilling rig equipment and power plant operations to skyscraper elevators and high-speed trains in Japan.

Dubbed SCADA for "supervisory control and data acquisition," the systems and their security have been under intense scrutiny since the Stuxnet worm was discovered almost a year ago. Stuxnet, a worm that some experts have called "groundbreaking," is believed to have been built to sabotage Iran's nuclear program, particularly the gas centrifuges the country uses to enrich uranium.

Stuxnet was the first in-the-wild worm that attacked SCADA systems.

Rick Moy, the CEO of NSS Labs, and Beresford's boss, backed up his researcher in an interview Monday.

"Siemens chose to use language that's vague and misleading," said Moy of Siemens' statement last week where it implied that the flaws would be very difficult to exploit. "They tried to downplay the impact to their customers. That's what was concerning to us."

Beresford and Meixell pulled their presentation on their own accord after consulting with Siemens and the U.S. Department of Homeland Security (DHS), who expressed concerns about potential use of the information by hackers.

But Moy said Siemens' customers deserve to know more.

"The right thing [for Siemens] to do for customers is to let them know they need to reevaluate how their networks are architected," Moy said. "These issues completely obviate the need for the software, and allow an attacker to directly access the PLCs."

Stuxnet exploited vulnerabilities in Windows to infect computers that ran Siemens SCADA software, giving the attackers access to the software that in turn controlled PLC devices.

"This is a completely different class of vulnerabilities than Stuxnet exploited," said Moy. "It's more serious than Stuxnet."

NSS Labs will not publicly release technical details about the PLC vulnerabilities, nor proof-of-concept exploit code, Moy continued. But the company will do an end-around Siemens and discuss the flaws with SCADA operators that it's confirmed are legitimate.

In the next week or two, NSS Labs will demonstrate the impact of the vulnerabilities to SCADA operators on an invitation-only basis. Moy asked concerned users of Siemens PLC devices to contact the company for more details on the demonstrations NSS Labs plans to host at its Carlsbad, Calif. office.

At the same time, NSS Labs will also outline possible mitigation steps users can take to protect their SCADA systems from attack.

Moy felt that was the right path to take. "The companies who own these devices are up in arms over Siemens' slow response," Moy said.

In the meantime, he had little advice for companies using Siemens PCL devices. "Unplug your stuff," said Moy.

"Actually, it's not as simple as that," he continued. "But waiting for a fix from Siemens is not the best that you can do."

He declined to be more specific about what steps SCADA operators can take.

But he had hopes the latest discoveries would prompt Siemens to act and push SCADA operators to pay more attention to security.

"The bright side to this is that these aren't the only vulnerabilities. There are definitely even bigger issues for industrial control operators," said Moy. "The visibility of these vulnerabilities will hopefully give the industry more momentum toward better security, and force it to address the problems."

Siemens did not reply to a request for comment on Beresford's and Moy's claims that the company was minimizing the threat to SCADA systems and the industrial systems they manage.

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.